PatchSiren cyber security CVE debrief
CVE-2023-52952 Siemens CVE debrief
A restricted desktop environment escape vulnerability exists in the Kiosk Mode of Siemens HiMed Cockpit medical devices. An unauthenticated local attacker can exploit this flaw to break out of the restricted environment and gain access to the underlying operating system. This vulnerability affects four HiMed Cockpit models used in healthcare environments, where kiosk mode is typically deployed to limit user interaction to specific clinical applications. The CVSS v3.1 score of 8.5 (HIGH) reflects significant impact potential including availability compromise, with scope change indicating impact beyond the vulnerable component. The attack requires local access but no privileges or user interaction, making it exploitable by anyone with physical access to the device. Siemens has released a vendor fix in version V11.6.2 or later. Healthcare organizations should prioritize patching given the sensitive nature of medical data and potential for lateral movement from compromised endpoints.
- Vendor
- Siemens
- Product
- HiMed Cockpit 12 pro (J31032-K2017-H259)
- CVSS
- HIGH 8.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-10-08
- Original CVE updated
- 2025-05-06
- Advisory published
- 2024-10-08
- Advisory updated
- 2025-05-06
Who should care
Healthcare delivery organizations, biomedical engineering teams, clinical IT security staff, and medical device asset managers responsible for Siemens HiMed Cockpit deployments in hospital and clinical environments.
Technical summary
The Kiosk Mode implementation in Siemens HiMed Cockpit devices fails to properly restrict user access to the underlying operating system. An unauthenticated attacker with local access can escape the restricted desktop environment, gaining full OS access. The vulnerability affects HiMed Cockpit 12 pro, 14 pro+, 18 pro, and 18 pro+ models. The CVSS v3.1 vector (AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H) indicates local exploitation with scope change, enabling impact beyond the kiosk application to the host system. Siemens has addressed this in version V11.6.2, available through customer support channels.
Defensive priority
high
Recommended defensive actions
- Contact Siemens customer support to obtain patch V11.6.2 or later for affected HiMed Cockpit devices
- Prioritize patching devices in high-traffic or publicly accessible clinical areas where physical access risk is elevated
- Review and restrict physical access to HiMed Cockpit devices to authorized personnel only
- Monitor for anomalous system behavior or unauthorized process execution on affected devices pending patch deployment
- Apply defense-in-depth controls per CISA ICS recommended practices for medical device environments
- Verify kiosk mode configuration and application whitelisting after patching to ensure security controls remain effective
Evidence notes
Vulnerability description and affected products confirmed through CISA ICS advisory ICSA-24-284-08 and Siemens security advisory SSA-540493. CVSS vector indicates local attack vector, low attack complexity, no privileges required, no user interaction, scope change, with low confidentiality and integrity impact but high availability impact. Remediation guidance specifies update to V11.6.2 or later with customer support contact required for patch delivery.
Official resources
-
CVE-2023-52952 CVE record
CVE.org
-
CVE-2023-52952 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-10-08